Some Android apps caught covertly sending GPS data to advertisers

Researchers have found that a significant number of Android applications are …

The results of a study conducted by researchers from Duke University, Penn State University, and Intel Labs have revealed that a significant number of popular Android applications transmit private user data to advertising networks without explicitly asking or informing the user. The researchers developed a piece of software called TaintDroid that uses dynamic taint analysis to detect and report when applications are sending potentially sensitive information to remote servers.

They used TaintDroid to test 30 popular free Android applications selected at random from the Android market and found that half were sending private information to advertising servers, including the user's location and phone number. In some cases, they found that applications were relaying GPS coordinates to remote advertising network servers as frequently as every 30 seconds, even when not displaying advertisements. These findings raise concern about the extent to which mobile platforms can insulate users from unwanted invasions of privacy.
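The mechanism behind those findings, dynamic taint analysis, is easy to see in miniature. The following toy tracker is an added illustration, not TaintDroid's own code: values read from sensitive sources carry a taint label, the label survives string building, and a network sink reports any outbound message that still carries one. The source functions, app and host names, and the 30-second refresh loop are constructed stand-ins for the Android APIs and the ad-widget behaviour the study describes.

```python
from dataclasses import dataclass, field

# Taint labels for the kinds of private data the study reports leaking.
LOCATION, PHONE_NUMBER, IMEI = "LOCATION", "PHONE_NUMBER", "IMEI"


@dataclass(frozen=True)
class Tainted:
    """A runtime value tagged with the set of sensitive sources it derives from."""
    value: str
    taint: frozenset = frozenset()

    def __add__(self, other):
        # Propagation rule: combining values yields the union of their taints,
        # so URL-encoding or embedding a value in a request does not launder it.
        if isinstance(other, Tainted):
            return Tainted(self.value + other.value, self.taint | other.taint)
        return Tainted(self.value + str(other), self.taint)


# Taint sources: hypothetical stand-ins for the Android location/telephony APIs.
def get_location():
    return Tainted("40.44,-79.99", frozenset({LOCATION}))


def get_phone_number():
    return Tainted("+15550100", frozenset({PHONE_NUMBER}))


@dataclass
class NetworkMonitor:
    """Taint sink: records every outbound message that still carries private data."""
    reports: list = field(default_factory=list)

    def send(self, app, host, at_seconds, payload):
        taint = payload.taint if isinstance(payload, Tainted) else frozenset()
        if taint:
            self.reports.append((app, host, at_seconds, sorted(taint)))


def run_ad_widget(monitor, duration_seconds=120, interval=30):
    """Simulated ad library (constructed) that refreshes a location-tagged ad request periodically."""
    for t in range(0, duration_seconds, interval):
        query = Tainted("GET /ad?loc=") + get_location() + "&id=" + get_phone_number()
        monitor.send("arcade-game", "ads.example", t, query)
    # Untainted traffic (a high-score upload) is not reported.
    monitor.send("arcade-game", "scores.example", 0, Tainted("score=100"))
    return monitor.reports


def location_polling_rate(reports, app, label=LOCATION):
    """Shortest gap in seconds between transmissions of `label` by `app`; None if fewer than two."""
    times = sorted(t for a, _, t, labels in reports if a == app and label in labels)
    if len(times) < 2:
        return None
    return min(b - a for a, b in zip(times, times[1:]))
```

Run over the simulated app, the monitor reports four location-and-phone-number transmissions to the ad host and a 30-second polling interval, while the untainted score upload goes unreported.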

The Android operating system has an access control mechanism that limits the availability of key platform features and private user information. Third-party applications that rely on sensitive features have to request permission during the installation process. The user has the option of canceling the installation if they do not wish to give the application access to the specific features that it requests. If a user starts to install a simple arcade-style game and finds out that it wants access to the user's GPS coordinates, for example, the seemingly suspicious permission request might compel the user to refrain from completing the installation process.

It's a practical security measure, but one critical limitation is that there is no way for the user to discern how and when the application will use a requested feature or where it will send the information. To build on our previous example, the user might decide to grant an Android game access to their GPS coordinates so that the software can facilitate multiplayer matches with nearby users. The user has no way of knowing, however, whether the application is also transmitting that information to advertisers or using it for malicious purposes. Making the permission system more granular might address those kinds of problems, but would also have the undesired effect of making it too complex for some users to understand. Indeed, there are already a lot of careless users who simply don't take the time to look at the permission listing or don't understand the implications.

Concerns about unauthorized access to private information by Android applications were raised earlier this year when a popular wallpaper application was found surreptitiously transmitting the user's phone number to a remote server in China. Google's investigation of the matter revealed that the developer of the application was simply using the phone number as a unique identifier for user accounts and was not threatening the user's security or doing anything nefarious. Google responded by publishing an overview of best practices for handling sensitive user information. Google temporarily disabled the application in the Android Market while performing a security review, but later reenabled it after finding no evidence of a serious threat.

Google's ability to remove unambiguously malicious applications from the Android Market protects users from the most egregious kinds of attacks, but obviously doesn't really address the multitude of gray areas where the implications of data collection and disclosure are more nuanced and don't constitute blatant abuse. It's really important to recognize that even highly invasive data collection by mobile applications doesn't necessarily pose a threat to users. There are millions of users who are happy to voluntarily concede privacy in exchange for free access to useful services. The key is that it has to be voluntary, which means that users have to know in advance that the information is going to be collected.

When a mobile advertising widget embedded in Android applications collects IMEI numbers so that it can correlate a user's activity across multiple applications for the purpose of extrapolating a behavioral profile that will support more effective targeted advertising, it's really not all that different from what prominent Internet advertising networks are already doing with cookies in the Web browser.

For a more invasive example, consider a mobile application that perhaps reads your SMS messages looking for information about what kind of products your friends mention so that it can advertise to you more effectively. In practice, it's not profoundly different from what Google does with contextual advertising in GMail. It wouldn't surprise me at all if the possibility of doing exactly these kinds of things was a major factor in inspiring Google to create Android in the first place. As smartphones become ubiquitous, it's likely that users will be expected to give up more of their privacy in order to get access to the next generation of hot mobile applications and services.

Invasive mobile data collection by advertisers isn't necessarily bad if users are getting something of value in return. The real issue is whether the practice is coupled with an appropriate level of transparency and disclosure to the end user. What separates a legitimate business practice from an unacceptable abuse in data collection is whether the user was made aware in advance of how data is collected, used, and shared so that they can choose to opt out or refrain from using the product if it shares their sensitive information in ways that make them uncomfortable. Such problems are obviously not specific to Android or mobile operating systems in general, but the fact that smartphone platforms provide standardized APIs for accessing certain kinds of sensitive information makes them higher-risk targets for subtle privacy invasions.

As Google says in its list of best practices that developers should adopt for data collection, providing users with easy access to a clear and unambiguous privacy policy is really important. Google should enhance the Android Market so that application developers can make their privacy policies directly accessible to users prior to installing, a move that would be really advantageous for end users. When applications share information improperly, don't conform with the stipulations of their privacy policies, or aren't suitably transparent about their data collection practices, tools like TaintDroid will be a powerful asset for enabling savvy users and privacy watchdogs to expose such abuses. The researchers behind the TaintDroid project will soon be publishing their results and plan to make the TaintDroid application available to the public in order to encourage further investigations. Their efforts to raise awareness of data collection by mobile applications are an important contribution to the advancement of safe mobile computing.

When I use an application without paying anything, I expect that I'm instead handing something else of value over to the provider. Such as the right to read my messages (gmail), or other info (Facebook, LinkedIn) etc. So far so good.

But I'm paying for my phone! So I expect to keep my privacy in return; or at the very least being told (with a possibility to opt out) when that privacy is being invaded. And believe me, I consider a scan of my SMS inbox, or my GPS coordinates, to be **private** information.

I suddenly became less sure that I want an Android phone - if this stuff gets built into the platform, instead of being a feature of particular apps.

Why is it that we consider invasive advertising built into a personal device acceptable? I don't!

I was under the impression that part of Apple's approval process involved checking this. There are a number of reports of apps being rejected for sending user data and advertising stats are specifically outlined as being banned.

.milFox, I did say "if this gets built into the platform". It's more-or-less fine as long as that behaviour is a feature of particular apps and they need my permission; it gets much less fine when it creeps into the platform and becomes a feature of apps that are core functionality.

The fact that we're seeing advertising functionality as a "feature" of mobile operating systems is a strong hint about where we're going. What happens when all the majors decide that they will provide their advertisers with more tracking data (IMEI for correlation, cell if not GPS coordinates etc)? Unless there is awareness and resistance, that is a probable future outcome, and then we'll be trapped.

What happens when the app has a legitimate reason for checking your location? Most people expect that their restaurant reservation app or movie showtime app will query their GPS position. The app store approval process is said to actually check the nature of the data being acquired and the places it’s sent.

When I install FindCheapestGasStation.apk I’m going to expect the GPS warning. If I wasn’t ready to click through on it I wouldn’t even have downloaded the app since it’s obvious it would use that data.

An app can have both a legitimate reason for the data *and* also collate it for statistical and tracking purposes. Thereby defeating reviewers looking out for you.

You're splitting hairs. There's no way that scenario could ever be avoided but at least with a review process, there is some type of system in place to catch the bad guys.

For Android, all you have shown are two links to apps for rooted phones which appear to have a 50/50 split between one and five star reviews and where many of the comments state the app doesn't work as advertised.

An app can have both a legitimate reason for the data *and* also collate it for statistical and tracking purposes. Thereby defeating reviewers looking out for you.

The reviewer is less likely to be defeated than the user. The user needs to be particularly savvy to find out stuff like “this app is polling GPS every 30 seconds, even when not initiated”. There are very few users who would even know how to do this. Conversely, the reviewer is specifically trained and tooled to discover the above.

I’m not claiming that nothing can slip by the reviewer, but they are specifically trained to root these issues out. I would say the likelihood of them finding it is higher than the likelihood of a user finding it.

I've never understood why Android lists the services an app uses... any advertising paid app needs full internet access, almost all of them ask for personal details, and a fair number for GPS...

Problem is - I don't know what an app actually requires, nor do I mostly care - I either want the app (ergo will ignore the warnings) or I don't. Without a list of 'we sell your data to doubleclick' type statements I have insufficient information to make a judgement call.

First of all, Apple apps have exactly the same problems, and no, it is not screened during the app review process. There was a recent study that found that many Apple apps were transmitting sensitive user data.

There are two key differences.

1) When you install an Apple app, you have NO idea what services on the phone it has access to. On Android, it is blatantly labeled when you install the app. In fact, it is impossible for an app to access various parts of your phone without it displaying this at time of install.

2) Apps that track other apps are not allowed on the Apple market... therefore it is IMPOSSIBLE for YOU to figure out if your apps are doing nefarious things with your data. On Android, if you so desire, you can police your own phone (with apps like the one used in this article).

In short.

You will never know on an iphone what the apps are doing with your data. There is no way for you to find out.

On Android, they'll still be doing crappy stupid stuff, but at least there are MULTIPLE ways of you KNOWING what it is doing and doing something about it.

It's really important to recognize that even highly invasive data collection by mobile applications doesn't necessarily pose a threat to users.

Yes it does - 'highly invasive data collection' always poses a threat to the user. You'd have to be naive to think that personal data, once out of your control, cannot be used in nefarious ways. Jesus, even your phone number, in the hands of a telemarketer, can become a tool for harassment. Let's not even bring up identity theft through database triangulation...

The horse is already out of the barn. The object lesson here is to build better barns. And never trust anyone outside of close personal friends and (usually) family.

When a mobile advertising widget embedded in Android applications collects IMEI numbers so that it can correlate a user's activity across multiple applications for the purpose of extrapolating a behavioral profile that will support more effective targeted advertising, it's really not all that different from what prominent Internet advertising networks are already doing with cookies in the Web browser.

Except that I can clear my cookies, but I can't clear my IMEI (without buying a new phone).

Bottom line, the Android Market needs to entice app makers to enter a short explanation for each permission their app demands. These explanations can be hidden/collapsed by default, and even though accuracy isn't guaranteed, just having them available to see will help reassure users and stigmatize sloppy or malicious app makers.

I do not agree with the absoluteness of this statement: "Invasive mobile data collection by advertisers isn't bad if users are getting something of value in return."

"isn't" is too absolute. If you'd said "might," that would have been almost acceptable. In this case, however, I must respectfully disagree.

Is there such a thing as a firewall app for Android? If there isn't, there really needs to be. There's no reason for your phone to be passing any info unless you tell it to, or for connection to the wireless network. All a phone should be doing in the background is maintaining a connection to the cellular network.

If I want GPS, I'll ask for it. Thanks for the article, but next time, consider being less absolute with such a staggeringly absolute statement that is more your opinion than fact.

The real answer to this is to treat features that can leak sensitive data the same way as firewall rules - the application can request whatever it wants and you can warn the user at install time, but the user should also have the option to block specific APIs from specific apps. For instance, I don't wish to allow any apps except my mapping app to get GPS data. I don't want ANYTHING except the phone app to access the voice dialer portion of the phone. Etc.

So a simple control panel that lets you block specific features from specific apps - and temporarily enable them if you wish - would kill all these problems immediately.

Of course, this won't be done, because it interferes with advertising models. For the same reason, mobile browsers NEED adblocking software, but won't get it.

Without a list of 'we sell your data to doubleclick' type statements I have insufficient information to make a judgement call.

That would probably require lengthy testing with human intervention (aka time & money). It's trivial for the Market's automated system to read through an app's API calls and see what system functionality it's accessing. Parsing out exactly what data goes would require stepping through the app for an extended period and watching its network traffic.

Over the past several months I have become more cautious about apps. If a game or a network widget accesses phone records or other personal data that it clearly doesn't need, I look for a different app that's less intrusive.

First of all, Apple apps have exactly the same problems, and no, it is not screened during the app review process. There was a recent study that found that many Apple apps were transmitting sensitive user data.

Do you have any proof for these assertions?

Gigaflop wrote:

You will never know on an iphone what the apps are doing with your data. There is no way for you to find out.

On Android, they'll still be doing crappy stupid stuff, but at least there are MULTIPLE ways of you KNOWING what it is doing and doing something about it.

Is this really true? If the app is using iAd and warns me every time I launch it to access my location, should I worry?

So if an application puts out a free version that makes money through advertising, is this inherently bad? If said app requests GPS statistics (something you see when installing the app) in order to attempt to send you ads that are actually somewhat relevant is this inherently bad?

I'm just wondering because I look at what kinds of access an application is granted when I install it. If there is an application that I find valuable yet for whatever reason do not want to pay for, I might not mind anonymous stats being sent in order to serve me relevant ads and keep the application free. It's the same thing with pretty much any free service on the web. Chances are you either pay for it, look at ads, or provide valuable marketing data.